
Introduction to Unique Compliance Layer (PPT)

In this context, the compliance layer is the set of principles, processes and control structures that Unique has established to meet the legal, regulatory and internal requirements of its banking customers. It protects the organisation from compliance breaches and ensures adherence to generally accepted market standards, codes of conduct and data protection principles in Switzerland and Europe.

Overview

[Overview diagram: image-20240515-091629.png]

Details on different layers

1A. Deployment Models

Different deployment models are available:

  1. Multi-tenant on Unique cloud

  2. Single/bank-specific tenant on Unique cloud

  3. Single/bank-specific tenant on bank cloud (customer-managed tenant)

  4. On-premise

1B. FSI Amendments

Unique's contracts with Microsoft also include the recommended Financial Services Industry (FSI) amendments. In detail:

  • M453 – FINMA. The Financial Services Amendment (FSA) and the jurisdiction-specific companion amendment for Switzerland, covering FINMA requirements such as audit rights.

  • M744 – bank secrecy. Professional secrecy and industry-specific terms regarding banking secrecy.

  • M329 – CH data protection. The Switzerland-specific amendment to the Microsoft Products and Services Data Protection Addendum (DPA).

1C. No data storage by Azure OpenAI Service and opt-out of the human review process

Unique partners closely with Microsoft to offer GenAI solutions in a secured and controlled environment. When working with Unique and using Microsoft Azure OpenAI Service, users are using an enterprise, private instance of OpenAI's GPT models (the models behind ChatGPT) packaged and hosted by Microsoft Switzerland. Prompts and answers are not shared with OpenAI or Microsoft; to be precise, Microsoft processes the data but never stores it, because Unique opts out of the logging and human review (abuse monitoring) process of Azure OpenAI Service. This opt-out is available for highly sensitive industries such as FSI and means that no data is stored by Azure OpenAI Service. Without the opt-out, Microsoft's general retention period for this data is 30 days.

Microsoft Azure OpenAI Service is available in Switzerland, Europe and other countries (see Azure OpenAI Service models - Azure OpenAI | Microsoft Learn for the current list of regions).

Unique also follows the Responsible AI principles:

  • Privacy & Security: AI systems should be secure and respect privacy

  • Inclusiveness: AI systems should empower everyone and engage people

  • Accountability: People should be accountable for AI systems

  • Transparency: AI systems should be understandable

  • Fairness: AI systems should treat people fairly

  • Reliability & Safety: AI systems should perform reliably and safely

2. Data hosting location in Switzerland

All client data (including CID) is stored and hosted in Switzerland (Microsoft Azure, Switzerland North region) if the client chooses so via contractual agreement; other locations are also possible. For Azure OpenAI Service, data is only processed and never stored (see the opt-out of the human review process above).

We have also performed a Transfer Impact Assessment (TIA) for Microsoft according to the method of D. Rosenthal (a leading technology lawyer in Switzerland). The results can be shared upon request.

3. Data Leakage Prevention (DLP)

Unique provides an API designed to integrate with a client's existing Data Leakage Prevention (DLP) programme. The integration enables monitoring and protection of sensitive information, specifically client identifying data (CID) and personally identifiable information (PII).

Key Features

  • Integration: Unique's API connects directly to the client's current DLP solution, extending its coverage to the Unique platform without the need for additional DLP software.

  • Monitoring: Continuously check for the insertion of CID and PII, so that potential data leaks are detected and addressed promptly.

  • Enhanced Protection: Strengthen the client's data protection measures by using the existing DLP system to guard against the unauthorised dissemination of sensitive information.

For more details, please refer to Data Leakage Prevention (DLP).
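As an added illustration of the check such a DLP hook performs (example code written for this page; it is not Unique's API and not code from the DLP documentation), the gate below scans a prompt for Swiss CID/PII patterns before the text leaves the bank: AHV numbers, IBANs and e-mail addresses. Regex candidates are validated with their checksum so that near-misses (typos, reference numbers) are not flagged, and the prompt is then redacted or blocked. The set of patterns, the `policy` parameter and the sample prompt are assumptions made for the example.

```python
"""Pre-prompt DLP gate (added example, not Unique's API).

Scans text for Swiss CID/PII patterns before it is sent to an LLM:
AHV/AVS social security numbers, IBANs and e-mail addresses. Candidates
found by regex are validated with their checksum so that near-misses
(typos, reference numbers) are not flagged, then redacted or blocked.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    kind: str
    value: str
    start: int
    end: int


def valid_iban(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    replace letters by 10..35 and require remainder 1."""
    s = iban.replace(" ", "").upper()
    if not (15 <= len(s) <= 34) or not s.isalnum() or not s[:2].isalpha():
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(int(c, 36)) for c in rearranged)
    return int(digits) % 97 == 1


def valid_ahv(ahv: str) -> bool:
    """Swiss AHV number 756.XXXX.XXXX.XX: 13 digits with an EAN-13 check digit
    (weights 1,3,1,3,... over the first 12 digits)."""
    d = ahv.replace(".", "")
    if len(d) != 13 or not d.isdigit() or not d.startswith("756"):
        return False
    total = sum(int(c) * (1 if i % 2 == 0 else 3) for i, c in enumerate(d[:12]))
    return (10 - total % 10) % 10 == int(d[12])


# Detector table: regex for candidates plus a validator that cuts false positives.
# Assumed set of patterns for this example; a real DLP policy would carry more.
DETECTORS = {
    "iban": (re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,4})?\b"), valid_iban),
    "ahv": (re.compile(r"\b756\.\d{4}\.\d{4}\.\d{2}\b"), valid_ahv),
    "email": (re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), lambda _: True),
}


def scan(text: str) -> list[Finding]:
    """Return validated CID/PII findings ordered by position in the text."""
    findings = []
    for kind, (pattern, validator) in DETECTORS.items():
        for m in pattern.finditer(text):
            if validator(m.group()):
                findings.append(Finding(kind, m.group(), m.start(), m.end()))
    return sorted(findings, key=lambda f: f.start)


def redact(text: str, findings: list[Finding]) -> str:
    """Replace each finding with a placeholder; overlapping findings are skipped."""
    parts, pos = [], 0
    for f in findings:
        if f.start < pos:
            continue
        parts.append(text[pos:f.start])
        parts.append(f"[{f.kind.upper()} REDACTED]")
        pos = f.end
    parts.append(text[pos:])
    return "".join(parts)


def dlp_gate(prompt: str, policy: str = "redact") -> tuple[str, list[Finding]]:
    """Apply the DLP policy to a prompt before it leaves the bank.

    policy="redact" forwards a redacted prompt; policy="block" forwards nothing
    (empty string) when CID/PII is present. Findings are returned in both cases
    so the caller can report them to the DLP system."""
    findings = scan(prompt)
    if not findings:
        return prompt, []
    if policy == "block":
        return "", findings
    return redact(prompt, findings), findings


# Constructed sample prompt: a valid AHV number and IBAN (both public test
# values), one e-mail address, and one IBAN-looking string with a bad checksum.
SAMPLE_PROMPT = (
    "Draft a reply to Anna Muster (anna.muster@example.ch), AHV 756.1234.5678.97, "
    "about the transfer from CH93 0076 2011 6238 5295 7. "
    "Reference CH94 0076 2011 6238 5295 7 is a typo."
)

if __name__ == "__main__":
    redacted, found = dlp_gate(SAMPLE_PROMPT)
    for f in found:
        print(f"{f.kind}: {f.value!r} at {f.start}-{f.end}")
    print(redacted)
```

The checksum step is what keeps the hook usable in practice: the string `CH94 0076 2011 6238 5295 7` looks like an IBAN but fails mod-97, so it is left alone, whereas the valid IBAN, the AHV number and the address are replaced before the prompt is forwarded. In a "block" policy the findings are still returned so the event can be raised in the bank's DLP system.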

In addition, neither Unique nor Microsoft uses any client data to train AI or other machine-learning models.

4. Restricted Access to data

We have built an access concept, including processes and controls, that defines who can see what. Clients can also choose how these processes and controls are made auditable (e.g., via audit logs). Unique's restricted access concept involves the following parts, which can be customised and adjusted to the customer-specific setup and needs:

  • Role-based access based on the bank's Active Directory

  • Privileged access management (PAM), privileged identity management (PIM)

  • Key management (done by Unique or bring your own key)

  • Encryption of data in transit and at rest

  • Audit logs

  • Two-factor authentication

  • Strong password and login policy

  • Terms and Conditions for end-users

  • Regular threat modelling workshops

  • Enrolled in a bug bounty program

  • Additional security measures possible: e.g., Microsoft Customer Lockbox, confidential computing

5. Privacy by Design and Default

Privacy by design and by default are fundamental principles for Unique and guide our commitment to protecting client data. From the inception of our software solutions, during development and in UI/UX design, we integrate privacy measures so that data protection is built into our products and services. This approach complies with Swiss and European data protection regulations and fosters trust among our clients. By default, our systems are configured to prioritise user privacy, giving individuals control over their data without requiring additional user intervention.

We further place high importance on responsible AI, and our AI-generated content is protected in several ways:

  1. Watermarks on AI-generated content: AI-generated output is watermarked to safeguard content integrity.

  2. End-User Terms and Conditions (T&Cs): Comprehensive Terms and Conditions for end-users ensure legal clarity.

  3. Client and Employee Training: Training programmes for both clients and employees raise security awareness and competence.

  4. Awareness Campaigns and Security Knowledge Sharing: Awareness campaigns promote the sharing of security insights and best practices.

  5. AI Policy Implementation: An AI policy governs responsible AI use within the organisation.

  6. Adherence to the OWASP Responsible AI Framework: Compliance with the OWASP Responsible AI framework supports ethical and secure AI practices.

6. Feedback loop

We have built a feedback loop into all our Gen-AI based features. It is twofold:

  1. Empowering User Control ("Human in the Loop"): Users have the option to modify AI-generated output, ensuring control and adding a personalised touch.

  2. Soliciting User Feedback on AI Output:
    • We encourage users to provide feedback on the AI-generated content to gauge its alignment with their expectations.
    • To maintain security, we caution users not to share any confidential information when providing feedback.

7. Skillset and training

Unique has specialised expertise in Swiss law, from both a legal and an IT security perspective. This covers data protection requirements, ensuring compliance with Swiss regulations at all times, and in-depth knowledge of FINMA guidelines, so that our solutions are aligned with Switzerland's financial regulatory framework. These claims are validated through an external audit process, substantiated by SOC 2 / ISAE 3000 Type 1 and Type 2 assessments and a FINMA report.

Whitepaper on Compliance Layer

Link:
